Kernel Malware��

���������: The
�����������
Attack from
����� Within
������

Kimmo Kasslin
F-Secure
Kuala Lumpur
Malaysia
kimmo.kasslin@f-secure.com

Abstract
The Kernel is the heart of modern operating systems. Code executing in kernel mode has full access to all memory including
the kernel itself, all CPU instructions, and all hardware. For this obvious reason only the most trusted software should be
allowed to run in kernel mode.

Today, we are facing an emerging threat in the form of kernel-mode malware. By kernel-mode malware we mean mali-
cious software that executes as part of the operating system having full access to the computer’s resources. To the end-user
this means malware that can bypass software firewalls and can be almost impossible to detect or remove even if the best
anti-virus solutions are being used.

This paper will examine the most important malware cases utilizing kernel-mode techniques over the last few years. The re-
search will be limited to malware running on Windows NT and later operating system versions. It will look at the possible
motives for the malware authors to move their creations to kernel mode. A detailed analysis of the key techniques making
their existence possible will be covered.
Introduction system memory, all CPU instructions, and all hardware.
The architecture of the Intel x86 processor supports four
privilege levels, or rings, numbered from 0 to 3. The great-
A modern malware, backdoor, email-worm, spying tro- er numbers mean lesser privileges. Windows uses privi-
jan, operating fully in kernel mode on a Windows NT- lege level 0 for kernel mode and privilege level 3 for user
based operating system is a scary thought. It would oper- mode.
ate with same privileges and share all the same resources
as the operating system itself and compete with any se- To provide protection to the virtual memory, the OS
curity solutions protecting the systems integrity against keeps track from which privilege level each memory page
any malicious activities. This would end up in an arms can be accessed. Pages in system address space can be only
race between the malware and the security suite. The one accessed from kernel mode, which protects them from
that is able to execute first or being able to control the user-mode processes. Since code running in kernel mode
lowest parts of the operating system eventually will be has full access to system memory, it can easily bypass any
the winner. Usually, this means doing tricks that are not security mechanism provided by the OS and destroy its
documented or supported by Microsoft and will result in integrity.
version dependencies causing instability or even system
crashes in the worst case. This is a path any serious secu- Drivers run in kernel mode and third party drivers can be
rity software vendor will not take. However, the world is installed and loaded with administrative privileges. This
full of examples of malware and proof-of-concept code is the only documented and supported way of executing
that does exactly this. kernel-mode code. Other undocumented means do exist
and they are explained in more detail in a later section
This paper is about malware operating fully or partially in
kernel mode. It will discuss basic requirements for such For detailed information about the inner workings of
malware and survey the known and semi-documented Windows NT-based operating systems the author recom-
techniques that make it possible for malware writers to mends the excellent book by Solomon and Russinovich
enter into and operate in ring 0. The paper ends with ana- [34].
lyzing two sample cases of malware that have played an
important role in opening eyes of the security community Kernel Malware
to the threat kernel malware poses. Kernel malware is malicious software that runs fully or
partially at the most privileged execution level, ring 0,
Basic Definitions having full access to memory, all CPU instructions, and
all hardware. It is convenient to divide kernel malware
into two subcategories: full-kernel malware and semi-ker-
To have a better understanding of the topic the reader nel malware.
should be familiar with some basic concepts of a modern
operating system. Terms such as processes, threads, vir- Full-Kernel Malware
tual memory and the difference between user and kernel
Full-Kernel malware is fully implemented as kernel-mode
modes should be familiar to the reader. The most impor-
driver and executes all its code in ring 0. It still requires
tant concepts, including important definitions to avoid
some help from user mode to get installed into the system
misunderstandings are introduced here.
either by a dropper component or manually by the user.
Kernel Mode vs. User Mode Once the driver has been installed it will be able to oper-
ate by itself.
One of the design goals for Windows NT was reliability
and robustness [34]. The main requirement was to protect Semi-Kernel Malware
the kernel from external tampering by user-mode applica-
Semi-Kernel malware executes its code both in ring 0
tions. To address this, the system was divided into two dif-
and 3. This includes malware that consists of a user-mode
ferent modes of operation: user mode and kernel mode.
executable (EXE or DLL) that will drop a kernel-mode
User applications run in user mode. They are unprivileged
driver or use other means to execute code in ring 0. Mal-
processes with limited access to system resources. User-
ware that is fully implemented as kernel-mode driver but
mode processes access these resources controlled by the
executes parts of its payload in ring 3, e.g. through code
kernel through services provided by the kernel.
injection, in the context of some process is also semi-ker-
Operating system services and third party drivers run nel malware.
in kernel mode. In kernel mode, they have access to all

AVAR 2006 - Auckland

History and Trends of Kernel Malware sample collections had, meaning that they are either full-
kernel malware or parts of semi-kernel malware. In addi-
tion, the number of new malware families that use kernel-
Kernel-mode malware on Windows NT-based systems mode drivers was identified. It is important to notice that
is not a new phenomenon, they have just been rare. just looking for drivers will not include kernel malware
WinNT/Infis [24], which was discovered in November that use other means, like code injection or call gates, to
1999, was the first known full-kernel malware that was execute their code in ring 0. However, this would require
designed to run on NT-based systems. It was a memory- run-time analysis of the samples, which was not possible
resident parasitic kernel-mode driver virus that gained to achieve within the given time frame.
control by hooking the INT 0x2E interrupt handler
directly from kernel. This allowed it to monitor every Each sample in the monthly collection was first checked
system service call made by user-mode applications and whether it had a proper PE header. If the result was posi-
to infect PE EXE files when an open request was made. tive then additional tests were made against the optional
Win2K/Infis.4608 [35] added support for Windows header field. Following basic checks were made to include
2000 and was found just one week after the new operat- only samples that are possibly kernel-mode drivers for
ing system was released. Windows NT and later operating system versions:

Another documented case involving kernel-mode mal-
ware was Virus.Win32.Chatter [2][36], which was
found in January 2003. It was a kernel-mode driver that
infects only PE SYS files. It hooks nt!NtCreateFile from
nt!KiServiceTable and thus gets control on every file open
and create operation. However, its infection routine was
actually executed in user mode. Therefore it is a semi-
kernel malware. The driver copied itself into the address
space of the active process and used an undocumented
nt!KeUserModeCallBack function exported by the kernel
to execute the infection routine in user mode. This might
have been the first time for kernel malware to inject parts
of its payload from ring 0 to ring 3 to perform some more
complex tasks. This code injection from kernel to user
■ Magic field equals IMAGE _ NT _ OPTION-
AL _ HDR32 _ MAGIC
■ Subsystem field equals IMAGE _ SUBSYS-
TEM _ NATIVE
■ MajorSubsystemVersion and MinorSub-
systemVersion fields were checked against the
correct platform and version information
In addition all duplicate files were removed by checking
their MD5 hash. The results are shown in Figure 1 be-
low.
Malware Families Vendor X Vendor Y

mode is an important concept and will be discussed in

80 6
more detail later in this paper.
70
5

No. new families

60
Today the number of kernel-mode malware when com-
No. samples

4
50
pared to the total number of malware seen every month is 40 3
very small. Also, it should be noted that the antivirus in- 30
2
20
dustry has not yet seen any complex malware that would 1
10
fulfill the requirements for full-kernel malware. To get a 0 0
better view of how real the threat posed by kernel mal-
Ap 0 3

Ap 0 4

Ap 0 5

Ap 0 6
O 03

O 04

O 05

6
Ju 3

Ju 4
Ja 03

Ja 04

Ju 5

Ja 05

Ju 6
l-0
r-0

r-0

r-0

r-0
n-

n-

n-

n-

ware is, it is important to find some evidence of real-life

-

-
l-

l-

l-
ct

ct

ct
Ja

malware samples using kernel-mode components.

Antivirus analysts who have been analyzing malware
samples since the beginning of 2005 should agree that
the number of malware using kernel components has
been steadily increasing. To get more proof of this trend
a statistical analysis was conducted. The author chose two
antivirus vendors and processed all monthly sample col-
lections from January 2003 to August 2006. On average
this resulted in around 100000 samples per vendor. The
idea was to find out how many kernel-mode drivers the
.�������������������������������������������������������
Also
������������������������������������������������������
know as W32.Keck.1933 (Symantec) and W32/Chatter
(McAfee).
Figure 1. Number of malicious kernel-mode driver samples
found from each vendor collection per month. Also, in-
cludes the number of new malware families found to use
kernel-mode components.
Before discussing more about the results it should be
noted that there exists possible factors of uncertainty to-
wards the validity of the results. This is mostly related to
the quality of the data these results are based on. The au-
thor is not trying to imply that there is anything wrong
with the collections, it is just a known problem in the
antivirus industry that proper classification and naming
AVAR 2006 - Auckland
of malware is impossible with the amount of samples the Trojan-Clicker.Win32.Costrat Backdoor.Rustock.B Spam-Mailbot.c trojan
industry have to handle every day.
Other important families worth to mention that have
Also, normally drivers are embedded inside the main been seen to utilize kernel-mode code are Email-Worm.
malware component and will be dropped to the system Win32.Bagle and Mydoom-based Email-Worm.Win32.
when the main component is executed. However, quite Gurong [10]. In addition usage of kernel-mode rootkit
often the dropped driver is named by its characteristics, drivers has been very common in IRC bots such as Back-
e.g. Hacktool.Rootkit, not by the malware using it. From door.Win32.SdBot and Backdoor.Win32.Rbot.
the end-user’s point-of-view this is a good thing but it
makes it very difficult for researchers to make any conclu- The high rise in popularity of kernel malware can be
sions how many different families are using kernel-mode mostly explained by the increased motivation for malware
components without actually executing every sample and authors to hide their creations from detection as long
checking what kind of components they are dropping to as possible. To hide even better they have started to use
the system. kernel-mode rootkit techniques as more and more doc-
umentation, examples and fully working examples with
Despite all the uncertainty the author feels confident full source code has become publicly available. However,
to make a conclusion based on the achieved results that there are other motives for malware to move to kernel,
number of kernel-mode malware has steadily increased probably most important ones being firewall and antivi-
during the investigated time period. This is very evident rus scanner bypassing.
from year 2005 onwards, which is mostly explained by
the increased number of malware starting to use kernel- Key Techniques Used by Kernel Malware
mode rootkits to hide their presence on the compromised
system. There is a noticeable difference in the number of
samples from 2005 onwards between the two vendors. In One reason why kernel malware has been so rare is that
vendor Y’s case the curve is more stable where the amount developing kernel-mode drivers is not easy. The environ-
of driver samples has approximately tripled every year. ment limits the developer’s creativity since it offers only a
The raw number of new samples per month is not that limited number of exported library functions, documen-
interesting since these samples contain lots of variants of tation is limited and there is less examples and source code
the same family. Probably more interesting information available that can be used as a template for the malicious
is the number of new malware families that were identi- work. Today the situation is changing. More information
fied to be using kernel-mode drivers. This gives a better is published about how to do things required by today’s
picture of the kernel malware trend. malware directly from kernel mode. This includes how to
implement better rootkits, how to bypass personal fire-
During year 2003 an average of 0.67 new malware fami- walls and how to create backdoors and IRC bots.
lies per month were identified to utilize kernel-mode driv-
ers. Year 2004 was still quite calm when an average of one To better understand the threat of kernel malware it is im-
new family per month was identified. The trend changed portant to know how they work. This chapter tries to give
dramatically during year 2005 when an average of 3.42 a brief introduction on the key techniques that are used
new kernel malware families was found. Since then things by kernel malware.
have calmed down a bit but the usage of kernel malware is
still growing strongly with an average of 2.63 new families Executing Code in Ring 0
found each month. Table 1 contains the list of most active The first requirement for a malware trying to obtain the
families based on the number of new variants seen. powers of kernel malware is to execute its code in the most
privileged level – ring 0. The author has seen malware us-
Table 1. Most commonly used kernel-mode malware. ing two different techniques to achieve this, kernel-mode
F-Secure Symantec McAfee
drivers and call gates.
Backdoor.Win32.Haxdoor Backdoor.Haxdoor Backdoor-BAC
Backdoor.Win32.HacDef Backdoor.HackDefender HackerDefender trojan Kernel-Mode Drivers
Trojan-Spy.Win32.Banker Infostealer.Bancos PWS-Banker trojan
Backdoor.Win32.PcClient Backdoor.Formador BackDoor-CKB trojan
The only documented way to execute third party kernel-
Trojan-Spy.Win32.Goldun Trojan.Goldun PWS-Goldun trojan
mode code is to install a kernel-mode driver. They are
Trojan.Win32.Crypt.t Spyware.Apropos.C Adware-Apropos loadable kernel-mode modules, usually having extension
SpamTool.Win32.Mailbot Backdoor.Rustock.A Spam-Mailbot trojan .sys, and execute in one of three contexts:

. This is a generic detection name used by Symantec for rootkits. ■ In the context of user-mode thread that initiated an

AVAR 2006 - Auckland

 I/O handler function HKEY _ LOCAL _ MACHINE\System\Current-
ControlSet\Services
■ In the context of kernel-mode system thread
The driver can be started by passing the service object
■ In the context of random thread as a result of an handle to the StartService API function. This
interrupt causes the system to perform some actions that are simi-
lar to loading a normal user-mode DLL. An image of the
Structurally they are identical to any other PE file. Kernel- driver’s PE file is loaded into system address space and the
mode drivers can use support routines that are exported entry point of the driver is called. The entry point is also
by various components of the OS kernel. These routines known as the DriverEntry, which has following pro-
support I/O, configuration, Plug and Play, power man- totype [22]:
agement, memory management, and numerous other OS
features. [34]
NTSTATUS
Typically, drivers are loaded and started at OS boot time. DriverEntry(
However, Windows API provides necessary functions IN PDRIVER _ OBJECT DriverObject,
that allow loading and unloading drivers at run time. This IN PUNICODE _ STRING RegistryPath
);
is done by the Service Control Manager (SCM). A new
driver can be installed with the CreateService API func-
DriverEntry routine always runs in the context of
tion. This function has the following syntax [37]:
the system thread. This routine is called only once dur-
SC _ HANDLE ing the lifetime of the driver and its only purpose is to
CreateService( initialize the driver. However, this is all that is required
SC _ HANDLE hSCManager, for the malware to execute its payload, which quite often
LPCTSTR lpServiceName,
involves hooking kernel functions or installing additional
LPCTSTR lpDisplayName,
DWORD dwDesiredAccess, notification functions or system threads to perform any
DWORD dwServiceType, further work. [22]
DWORD dwStartType,
DWORD dwErrorControl, There exists another way to load and execute a kernel-
LPCTSTR lpBinaryPathName, mode driver from user mode.
LPCTSTR lpLoadOrderGroup,
LPDWORD lpdwTagId,
This method is not documented by Microsoft in any way.
LPCTSTR lpDependencies,
LPCTSTR lpServiceStartName, The existence of this method was announced by Hoglund
LPCTSTR lpPassword [38] in his post to the BugTraq mailing list.
);
More recent information can be found in the book writ-
Here, the important parameters are hSCManager, ten by Hoglund and Butler [15]. This method uses the
dwServiceType, dwStartType, and lpBina- ZwSetSystemInformation function exported by
ryPathName. The hSCManager parameter is a han- Ntdll.dll and has the following syntax [23]:
dle to the SCM database, which can be obtained with the
OpenSCManager API function. The dwService- NTSYSAPI
NTSTATUS
Type parameter specifies the type of the service that will NTAPI
be installed. In this case, it must have the value of SER- ZwSetSystemInformation(
VICE _ KERNEL _ DRIVER. The dwStartType IN SYSTEM _ INFORMATION _ CLASS
parameter defines the startup behavior of the driver when SystemInformationClass,
the system boots up. The final parameter of interest is the IN OUT PVOID SystemInformation,
IN ULONG SystemInformationLength
lpBinaryPathName, which is a pointer to a null-ter-
);
minated string that contains the fully qualified path to
the driver binary file. [37]
The SystemInformationClass parameter speci-
A successful call to the CreateService API function fies the type of system information to be set. In this case
creates a service object, returns a handle to this object, it is set to value of SystemLoadAndCallImage,
and installs the service in the SCM database by creating a which is part of the SYSTEM _ INFORMATION _
key with the same name as the service under the following CLASS enumeration. The SystemInformation pa-
registry key: rameter points to the data will be set. In this case, it will be

AVAR 2006 - Auckland

defined as a structure that has the following syntax [23]: calMemory, which allows a user-mode application to
map portions of the physical memory into its own address
typedef struct _ SYSTEM _ LOAD _ AND _ CALL _ space. This technique is known to malware and has been
IMAGE {
UNICODE _ STRING ModuleName; used before by some malware variants to hide themselves
} SYSTEM _ LOAD _ AND _ CALL _ IMAGE, *PSYS- using rootkit techniques [21]. This technique has its
TEM _ LOAD _ AND _ CALL _ IMAGE; problems since it accesses physical memory. The malware
needs to calculate virtual to physical address translation
The ModuleName element specifies the full path of the correctly. Email-Worm.Win32.Fanbot.j was the first one
module that will be loaded in Unicode format. The last that did the translation properly and therefore had better
parameter of the ntdll!ZwSetSystemInformati support for different OS versions [4].
on function specifies the size in bytes of the data pointed
by the SystemInformation parameter. After a suc- The second method to access the system address space
cessful function call, the system loads the module into the from user mode is more useful because it uses virtual ad-
system address space and calls its entry point. This tech- dresses instead of physical addresses. This method uses
nique has both good and bad features. the ZwSystemDebugControl function exported by
Ntdll.dll and has the following syntax [23]:
The upside for malware is that it leaves no information
into the SCM database. This method provides malware a NTSYSAPI
NTSTATUS
way to load and execute a kernel-mode driver in a single NTAPI
operation without leaving any traces of its existence in the ZwSystemDebugControl(
registry. Because the SCM is not aware of the driver, it IN DEBUG _ CONTROL _ CODE ControlCode,
is not able to control it in any way. The driver cannot be IN PVOID InputBuffer OPTIONAL,
unloaded and it will survive in memory until the next re- IN ULONG InputBufferLength,
OUT PVOID OutputBuffer OPTIONAL,
boot. IN ULONG OutputBufferLength,
OUT PULONG ReturnLength OPTIONAL
The downside for malware is that the driver will not be );
started after the system has been rebooted. Another prob-
lem is that memory for the driver image will be allocated To use this function the caller is required to have the
from the paged pool, which restricts the kind of opera- SeDebugPrivilege enabled. The important field
tions the driver can execute. Otherwise it risks of crashing here is the ControlCode, which defines the mode of
the system with a blue screen. There are ways to avoid this operation. Valid values are defined in the DEBUG _ CON-
problem but it will make the driver code more complex TROL _ CODE enumeration. However, this enumeration
and harder to maintain [15]. has not been documented since Windows 2000.
As expected, the documented way is the one used by most Randnut’s [26] post to the Bugtraq mailing list showed
malware to execute code in kernel mode. If it works, there that new features were added to the ntdll!ZwSystem
is no reason for malware to search for alternate means. DebugControl function on Windows XP and 2003.
This might change in the future when more security prod- The essential information was posted to a public discus-
ucts start to block loading of kernel-mode drivers. sion forum by a person known as Bilbo. He claimed that
it was possible to write to the system address space by set-
ting the ControlCode parameter to the value of nine.
Call Gates He also posted the following example code:
Call gates are a less known technique to execute third
party kernel-mode code. They are provided by the Intel /*
* write a buffer to kernel space
architecture and can be used to transfer program con- */
trol between different privilege levels. Call gates reside in struct {
the system address space. A user-mode process has to be LPVOID kernel _ addr;
able to modify it to add its own call gate. This is possible LPVOID user _ addr;
through two undocumented Windows OS features that DWORD len;
} mem;
are discussed next.
void
The first method was first discovered by Mark Russino- wr(LPVOID dst, LPVOID src, DWORD len)
vich [32] and it was further documented by Crazylord
.�����������������������������������������������������
Also
����������������������������������������������������
known as W32.Fanbot.A@mm (Symanted) and W32/My-
[3]. It uses a section object named \Device\Physi- tob.gen@MM (McAfee).

AVAR 2006 - Auckland

 { it points to the first instruction of a specific procedure.
mem.kernel _ addr = dst; The Descriptor Privilege Level (DPL) field
mem.user _ addr = src;
mem.len = len; indicates the privilege level required to access the selected
ZwSystemDebugControl(9, &mem, procedure through the gate. The Parameter Count
sizeof(mem), 0, 0, 0); field indicates the number of parameters to copy from the
} calling procedures stack to the new stack if a stack switch
occurs.
This made it possible for easy access to kernel-mode mem-
ory without any need to for complex address translation A call gate is used by specifying a far pointer to the gate
calculations. Lately, ntdll!ZwSystemDebugCont as the target operand in a CALL or JMP instruction. The
rol function was documented in much detail by Alex pointer consists of a segment selector and an offset. The
Ionescu [20]. This might result in more malware using segment selector identifies the call gate and the offset is
this approach to enter the kernel. So far the author has required, but not used. When the processor has accessed
not encountered any malware samples that had used this the call gate and the privilege checks has been success-
technique. fully passed, it uses the segment selector from the call
gate to locate the segment descriptor for the destination
Microsoft has realized the potential problem these un- code segment. It then combines the base address from the
documented backdoors to the system address space pose code-segment descriptor with the offset from the call gate
to the overall security of their operating systems. Since to form the linear address of the procedure entry point in
Windows Server 2003 SP1 they can no longer be called the code segment. Figure 3-2 illustrates this process.
from user mode [20].

Now that we know the techniques to install the call gate

from ring 3 it is time to see how they actually work. Call
gates are based on the same techniques the OS uses when
it executes kernel-mode code on behalf of the user-mode
application. At the lowest level, this separation of privi-
lege levels is implemented by the protection mechanism
provided by the Intel processors, also known as protected
mode of operation. The reader is assumed to be familiar
with concepts such as memory segmentation and privi-
lege levels. For more information, the reader is advised to
refer to the Intel manuals [16][17][18][19].
Figure 3. Call-gate mechanism Source: [19]
To provide a controlled way to transfer program control
between different privilege levels the Intel architecture To execute code residing in user address space at ring 0, all
provides a facility called call gates. A call gate is defined that has to be done is to add a new call gate to the GDT.
by a call-gate descriptor, which may reside in the Global The address and size of the GDT can be obtained with
Descriptor Table (GDT) or in a Local Descriptor Table the SGDT instruction. The GDT is located at the system
(LDT). Figure 2 shows the format of a call-gate descrip- address space, so either physical memory device or ntdll!
tor. ZwSystemDebugControl technique can be used to
write the new call-gate descriptor to the GDT. The Off-
set field of the new call-gate descriptor will point to the
payload code. The Segment Selector field should
be set to a code segment that executes at ring 0. The final
thing to remember is to grant access to the call gate from
user mode by setting the DPL field to value 0x3.

Call gates are not a common technique used by today’s

Figure 2. Call-gate descriptor Source: [19] malware. The author has only encountered one case
where a malware used this technique to access ring 0. This
The Segment Selector field in a call gate speci- malware is detected as Email-Worm.Win32.Gurong.a
fies the code segment to be accessed. The Offset field [10][6]. Gurong.a installed a call gate through the physical
specifies the entry point in the code segment. Generally, .�������������������������������������������������������
Also
������������������������������������������������������
detected as W32.Mydoom!gen (Symantec) and W32/My-
tob.gen@MM (McAfee).
AVAR 2006 - Auckland
memory device. The ring 0 code was used to hide its pro- 0x7C90EA3E: C21400 RET 0x14
cess, file, and launch point from the registry. It achieved
this by hooking functions from nt!KiServiceTable The first instruction, MOV EAX, 0x115, tells the Sys-
and by removing its process object from internal kernel tem Service Dispatcher (SSD) that it should call function
lists. pointer from nt!KiServiceTable located at index
0x115. This function pointer is the address of the real
Using Kernel-Mode Support Routines service function that will perform the requested task. In
To fulfill the requirements for full-kernel malware the this case it would be nt!NtWriteVirtualMemory.
malware has to execute its entire payload in ring 0. The
difficulty level of implementing such malware can vary The basic idea is to load Ntdll.dll image from disk
from hard to impossible depending on the set of features into memory and then to find the entry point of the re-
it has to support. In case of a basic downloader, it prob- quired function from the PE header’s export table. Fol-
ably needs to perform following operations: lowing simple piece of code fetches the index which can
then be used to get the correct function pointer from the
■ It allocates memory for storing temporary data service table.
ulSSN = *(PULONG)((PUCHAR)pbNativeAPIFunction + 1);
■ It accesses internet to download the new payload

■ It stores the file on the file system This allows kernel-mode code to have the full Native API
in its arsenal. However, there are still limitations what can
■ It modifies the registry to make sure the new pay- be done and when. This is mostly caused by the fact that
load will be executed kernel-mode code can execute in one of three contexts –
user thread, system thread or random. If the code executes
The Windows kernel provides a set of documented sup- in user thread context and the thread’s PreviousMode
port routines that can be used by kernel-mode drivers field equals UserMode, then extra argument validation
to perform various tasks. These are documented in the is done for the passed parameters. This means that any
Windows Driver Kit (WDK) [22], which was previ- passed pointers must reside in user address space or oth-
ously known as the Windows DDK. In addition WDK erwise the operation will fail. The easiest way to solve this
contains many source code examples how different tasks is to make sure the routines are always called from system
can be performed. From the above list all tasks except ac- thread context.
cessing internet are very simple to implement from kernel
mode. Following functions would do the job: One topic that has not yet been discussed is how internet
can be accesses from ring 0. This is an important feature
■ ExAllocatePoolWithTag / ExFreePoolWithTag for the simple downloader since otherwise it will not be
able to fetch the new payload. This is currently the hot
■ ZwCreateFile / ZwWriteFile / ZwClose topic in the field of kernel malware. It is worrying to see
how the number of working solutions with full source
■ ZwCreateKey / ZwSetValueKey / ZwClose code is published by various authors [28][29][30][���� 15��]
that will eventually make it easier for more malware to
If the reader is familiar with Native API, then Zw* func-
enter the kernel. This topic is worth another research pa-
tions should look familiar. An excellent reference with
per and will not be discussed any further.
function prototypes is the Native API Reference book by
Nebbett [19]. The kernel exports only a subset of the func-
tions that are exported by Ntdll.dll. On Windows Executing Code in Ring 3
XP SP2 this subset consists of approximately 130 func-
tions out of 280. In case of unexported functions there are In an ideal world kernel malware should do all its tasks
ways to find the correct address to call. The best of them, from ring 0. However, this is not always feasible since it
and often used by malware, is to get this information from would require too much effort to implement some librar-
Ntdll.dll [27]. Every Zw* function in Ntdll.dll ies that are only available from user mode. In addition,
is implemented in similar way. Below is the disassem- there are situations where it is beneficial for the malware
bled version of ntdll!ZwWriteVirtualMemory: to execute at high enough level. A good example of such
0x7C90EA32: B815010000 MOV EAX,0x115
malware is a trojan that steal user’s banking credentials.
0x7C90EA37: BA0003FE7F MOV EDX,0x7FFE0300
Normally, communication between the client and server
is encrypted and encryption is done at user mode. If the
0x7C90EA3C: FF12 CALL DWORD PTR [EDX]
malware intercepted the data from kernel mode, it would

AVAR 2006 - Auckland

already be in encrypted format. In this case a better ap-
proach would be to execute parts of the code in ring 3 in
the context of the process where the credentials are stored
before encryption.
Malware that initially executes at ring 0 but later executes
parts of its payload in ring 3 has been very rare to the
author’s knowledge. Virus.Win32.Chatter, which was al-
ready mentioned, is one of them. Also, both sample cases
that will be investigated in more detail in the case studies // Schedule APC
use this approach.
che(pMdl, UserMode, MmCached, NULL, FALSE,
NormalPagePriority);
KeUnstackDetachProcess(&ApcState);
// Initialize APC
KeInitializeEvent(pEvent, NotificationEvent,
FALSE);
KeInitializeApc(pApc, pTargetThread, Origi-
nalApcEnvironment, &MyKernelRoutine, NULL,
MappedAddress, UserMode, (PVOID)NULL);
KeInsertQueueApc(pApc,pEvent,NULL,0)

There exist two methods that have been used by malware One important thing with user-mode APC is that the tar-
to accomplish this. First one involves allocating memory get thread has to be in alertable state before it will call the
from the target process, writing the payload into the allo- APC function [37].
cated buffer, and finally making sure that the process will
execute the payload either by hooking some function or So far the author has seen Valerino’s technique, which is
by modifying the context of one of its threads. The second the most advanced one, to be used by only one malware
one uses Asynchronous Procedure Call (APC) mecha- family, named SpamTool.Win32.Mailbot. In many ways
nism provided by the OS. The benefit of the second tech- this malware family is special and applies lots of ideas
nique from the malware point of view is that APC is a presented by various rootkit researchers into real-life mal-
normal operation and it would be very hard to identify ware. Mailbot will be discussed in more detail in Case
malicious APC operations amongst legitimate operations Study 2, later in this paper.
performed by the OS itself.
Case Study 1: Haxdoor
Solomon and Russinovich [34] define APC as a function
that provides a way for ring 3 and ring 0 applications to
execute code in the context of a chosen user thread and Haxdoor [7][8] is a powerful backdoor with rootkit and
hence a process address space. Windows OS supports spying capabilities. It has been around for a long time but
both user- and kernel-mode APCs. User-mode APC can especially during year 2006 it has received lots of attention
be used to execute code in ring 3. because of its involvement in various high-profile phish-
ing, pharming and identity theft attacks [13][14][1].
The idea of using user-mode APC to execute code from Haxdoor is a good example of today’s malware that uti-
kernel mode in ring 3 is not new. Anatoly Vorobey already lizes kernel-mode code to make its detection and removal
brought out this idea in year 1997 [25]. However, his ap- more difficult and to circumvent personal firewalls.
proach did not take into account the need to allocate and
map the ring 3 payload code into the address space of the First Haxdoor, named Backdoor.Win32.Haxdoor.a, was
target process. A complete solution with full source code found in August 2003. It had three components, a PE exe-
was published in rootkit.com by Valerino in February cutable, a DLL and a kernel-mode driver. The executable’s
2005 [31]. Below is a skeleton code to execute code from main purpose was to install and launch the other compo-
kernel mode in ring 3. nents. The DLL was the main part implementing back-
door and information stealing functionality. It utilized
pMdl = IoAllocateMdl(pPayloadBuf, the driver when it had to do operations that cannot be
dwBufSize, FALSE,FALSE,NULL);
done from user mode on Windows NT based platforms.
// Lock the pages in memory The services include low-level I/O operations, dumping
_ _ try of SAM database to a file and hooking of nt!NtQuerySy
{ stemInformation from nt!KiServiceTable to hide
MmProbeAndLockPages(pMdl, KernelMode, haxdoor’s process from other applications.
IoWriteAccess);
}
From those times Haxdoor’s driver has evolved but inter-
_ _ except (EXCEPTION _ EXECUTE _ HANDLER){}
estingly many of the old features are still present, includ-
// Map the pages into the specified process .�����������������������������������������������������������
Also
����������������������������������������������������������
known as Backdoor.Rustock.A (Symantec) and Spam-Mail-
KeStackAttachProcess(pTargetProcess, bot trojan (McAfee).
&ApcState); .����������������������������������������������������������
Also
���������������������������������������������������������
detected as Backdoor.Trojan (Symantec) and BackDoor-
MappedAddress = MmMapLockedPagesSpecifyCa BAC Trojan (McAfee).
AVAR 2006 - Auckland
ing I/O operations to enable/disable the keyboard, play-
ing such tricks as opening and closing the CD-ROM tray
or in the worst case resetting the CMOS.

During the last year, Haxdoor driver has changed very

little. The driver is actually very simple but still does some
extremely powerful tricks to make detection and removal
of it hard unless its inner workings are well known. Below
is the list of most important features it implements:

■ process and file hiding

■ protection of its own threads and processes against

termination

■ protection of its own files against any access

■ payload injection into created processes

Surprisingly it still misses some important features such as Figure 4. Haxdoor protects its own process against termi-
hiding of its launch points from the registry. Today, basic nation.
feature set of a rootkit-enabled malware includes at least
hiding of its files, registry keys/values and processes. Haxdoor’s file protection scheme is very simple but ex-
tremely powerful. Any user-mode code has a hard time
Process and file hiding are implemented by replacing trying to get access to any file under protection by the
function pointers for nt!NtQuerySystemInform malware driver. When the driver starts, it first opens a
ation and nt!NtQueryFileInformation in handle to the protected files with no share access which
nt!KiServiceTable with special hook functions gives it exclusive access to them. Just as a precaution it also
implemented by the driver. These hook functions first takes an exclusive lock over the whole file content by using
call the original service function that fetches the corre- nt!NtLockFile. Since this is done from the kernel in
sponding information from the system beneath and then the system thread context, the created handle is not acces-
remove any entries from the collected data that the mal- sible from user mode. Only way to bypass the file locking
ware wants to hide from other applications. is to do it from kernel.

Haxdoor protects its own threads and processes in a simi-
lar way. Instead it now hooks nt!NtOpenThread and
nt!NtOpenProcess. If the hook function notices
that another process tries to open a handle to the malware
process or any of its threads with PROCESS _ TERMI-
NATE or THREAD _ TERMINATE access rights, it
replaces the target id with the one of the calling thread or
process respectively. This results that the thread or process
trying to terminate the malware gets terminated instead.
Probably the most interesting and unique feature of the
driver is its payload injection into newly created process-
es. This is done by hooking nt!NtCreateProcess
and nt!NtCreateProcessEx functions from
nt!KiServiceTable. The former is used on Win-
dows 2000 whereas the latter is used on Windows XP
and Windows Server 2003. The consequence is that
when a new process is created the hook will be executed.
First, the hook calls the original function so that the new
process is actually created. Then, before returning control
to the creator it executes its additional payload, which is
illustrated in the following figure.

AVAR 2006 - Auckland

 In today’s standards its rootkit techniques are nothing
spectacular and properly designed kernel-mode real-time
antivirus scanners can easily detect and disable its files.
However, Haxdoor’s code injection technique can still be
considered extremely powerful and is still able to bypass
several firewalls even though protection against remote
code injection is considered to be a basic requirement for
a modern firewall.

Case Study 2: Mailbot aka Costrat

Mailbot [9] is the most powerful and stealthiest rootkit

seen so far. In many ways it puts into practice the ideas
of “Stealth by Design” malware introduced by Joanna
Rutkowska in January 2006 [33]. Latest Mailbot vari-
ants have only a single kernel-mode driver. However, they
are not full-kernel malware since they carry an encrypted
DLL that will be executed in ring 3. The DLL is a highly
Figure 5. Haxdoor injects its payload into newly created sophisticated spambot with backdoor capabilities. Today,
processes before they start to execute. Mailbot’s detection and removal is still a challenge to
most rootkit detectors and antivirus solutions.
The payload, detour _ NtCreateProcessEx,
First Mailbot, named SpamTool.Win32.Mailbot.a, was
first checks if the calling process belongs to the back-
found in December 2005. It had three components, a
door or if it is an important system process that should
PE executable, a DLL and a kernel-mode driver. The
not be tampered with. In case of a normal process it
PE executable was a dropper, which installed the other
executes the code that will do the actual injection. The
components. The DLL was the main component and it
purpose of the injection is to copy the position indepen-
was loaded into Winlogon.exe process when the system
dent code from the driver’s data section into the new pro-
started. The kernel-mode driver hooked three functions
cess’ address space and to insert an additional hook into
from nt!KiServiceTable, namely
ntdll!LdrLoadDll, which will trigger the injected
nt!NtEnumerateKey,
payload when the process starts to execute. First, the driv-
nt!NtEnumerateValueKey and nt!NtQuery
er calls nt!NtProtectVirtualMemory to change
DirectoryFile. Their purpose was to hide all files
protection to allow writing to those virtual memory pag-
and launch points created by the malware. In addition, it
es that will be overwritten by the hook. Then, it allocates
hooked IRP _ MJ _ CREATE, IRP _ MJ _ CLOSE
memory from the process’ address space and writes the
and IRP _ MJ _ DEVICE _ CONTROL handler func-
injected payload into it. Finally, it overwrites the begin-
tions from Tcpip driver object to hide all TCP and UDP
ning of ntdll!LdrLoadDll with a relative JMP in-
connections the DLL had established.
struction pointing to the new payload.
The author analyzed his first Mailbot variant, Spam-
The outcome is that whenever the process starts to load a
Tool.Win32.Mailbot.az [25], in 27th of May 2006 af-
DLL the injected code will be executed. What this code
ter it was submitted by a malware collector who had
actually does is out of the scope of this paper. Briefly, it will
noticed that every rootkit detection tool he was using,
prevent various security product related processes from
including F-Secure BlackLight, was not able to find
starting, it will load and execute the backdoor DLL and
the rootkit. It consisted only of a single kernel-mode
it will install additional hooks into numerous network
driver that was stored as hidden data stream attached
related functions that will allow it to conduct phishing,
to the system32 folder. In three weeks a new and im-
pharming and stealing of user credentials.
proved version of BlackLight was released that was again
Haxdoor is special in many ways. Its early deployment able to find the hidden driver from the system [12].
of kernel-mode code and rootkit techniques has made it
to stand out from the rest. Its usage of kernel-mode hid-
.����������������������������������������������
Detected
���������������������������������������������
also as Hacktool.Spammer (Symantec).
ing, self-protection and remote injection techniques has .���������������������������������������������������������
Detected
��������������������������������������������������������
also as Backdoor.Rustock.A (Symantec) and Spam-
made it challenging for security products to deal with. Mailbot trojan (McAfee).
AVAR 2006 - Auckland
It was evident that this malware was something special.
Since then the author has been closely following its evo-
lution and analyzing its inner workings. This malware
applies into real-life many ideas that have been discussed
in various rootkit-related sites and security conferences.
From the disassembled code it becomes quite evident that
the malware author has benefited from source code pub-
lished in rootkit.com and the book about rootkits [15]. A
detailed analysis of the Mailbot was recently published in
VB Magazine September issue [5].
A new variant of Mailbot appeared in 3rd of July and it
went a step further in its stealth capabilities. Interest-
ingly it was named as Trojan-Clicker.Win32.Costrat.a.
Since detailed information is available of the old variants
[9][5], the rest of this chapter will talk about some of the
new features . Figure 6 shows the new main routine of a
recent Costrat variant.
Figure 6. Main routine of Trojan-Clicker.Win32.Costrat.
SpamTool.Win32.Mailbot.az took control of the System ule. The disassembly of the handler function shows how
Service Dispatcher (SSD) by hooking INT 0x2E and Costrat redirects the execution through this address to
IA32 _ SYSENTER _ EIP MSR handler function. A the real hook function.
thread trying to execute any of the following service func-
tions was redirected to a modified version by setting the Latest Costrat variants have introduced a new feature that
thread’s KTHREAD->ServiceTable field to point to has not previously been available. They hook a new sys-
another table created by the malware.
■ NtCreateKey
■ NtDeviceIoControlFile
■ NtEnumerateKey
.���������������������������������������������������������
Detected
��������������������������������������������������������
also as Backdoor.Rustock.B (Symantec) and Spam-
Mailbot.c trojan (McAfee).
AVAR 2006 - Auckland
■ NtOpenKey
■ NtQueryKey
■ NtQuerySystemInformation
■ NtSaveKey
Mailbot’s approach to hook service functions on a thread-
level basis was unique and the stealthiest seen so far. Fo-
rensic tools have mainly been looking for hooks from
nt!KiServiceTable and from inside system service func-
tion. Thus they were not successful in finding mailbot’s
hooks. The problem was still that some more advanced
tools checked the address of INT 0x2E and IA32 _
SYSENTER _ EIP MSR handler functions. If the ad-
dress was outside the kernel module, it was a clear indica-
tion that something suspicious was going on.
Costrat solved this problem by searching for unused
memory inside the kernel module and then redirecting
the hook through this address. This is clearly illustrated
by the following kernel debugger dumps:
kd> rdmsr 176
msr[176] = 00000000`806c15bd
kd> lm a 806c15bd
start end module name
804d7000 806e2000 nt
kd> u 806c15bd
nt! _ NULL _ IMPORT _ DESCRIPTOR <PERF>
(nt+0x1ea5bd):
806c15bd e9a249bd77 jmp
lzx32!SysCallHookGen (f8295f64)
The debugger output shows that the handler function is
in address 0x806c15bd which is inside the kernel mod-
tem service function named NtTerminateProcess.
The actual hooking is implemented in identical way but
the hook itself is special. The purpose of the hook is to al-
low for the injected DLL to communicate with the driver
without leaving any extra traces to the system. Figure
�����������7
shows the disassembly of the kernel-mode hook function
and the relevant code from the DLL where the covert
channel is used.

Figure 7. User-mode DLL uses the private communication
channel and instructs the driver to update itself.
Latest Costrat variants are able to update themselves on-
the-fly from the control servers. The DLL uses its private
communication channel to instruct the driver to replace
its file on the disk with the new version. Then it com-
mands the driver to inject and execute the new DLL into
services.exe. Finally the old DLL releases its resources and
terminates. From this point onwards the new DLL is ac-
tive and interoperates with the old driver. The new kernel-
mode code is taken into use only after reboot. Lately this
feature has been used quite often to update the list of IP
addresses and DNS names it uses when it needs to con-
nect to its control server. This makes it extremely hard to
disable the bot network by trying to shutdown its control
servers.
Mailbot aka Costrat is powerful. It has features that should References
not go public. One example is its ability to fully bypass
filter drivers. Real-time antivirus scanners and some fire-
walls are often implemented as filter drivers. They can’t do 1. AusCERT - Media Release - Response to recent
anything if the malicious data never goes through them.
Conclusion
Current security solutions, including antivirus scanners
and firewalls, have not been designed to protect the end-
user against malicious software that operates in ring 0.
3.
There are good reasons for this. One reason is that once
the malware executes its code with same privileges as the
OS itself, it will become an arms race between the good
and bad. This has already been seen with rootkits and their
anti-detection engines. After the rootkit notices that it is 4.
no longer able to hide from the rootkit detector and is
going to loose the game, it changes tactics and starts to
make a direct attacks against the detector. It might take a
more aggressive approach and prevents the rootkit detec- 5.
tor from starting. Or it could directly patch the rootkit
detector’s code to change its inner logic.
The statistical analysis that was performed, and discussed
in the earlier section on History and Trends, showed
that there has been a visible rise in the number of mal-
ware employing kernel-mode modules as part of their
payload. Majority of the modules have been kernel-mode
rootkits that the malware uses to hide its main compo-
nent and thus make its detection and removal as difficult
as possible.
This paper has shown the basic techniques that kernel
malware is using to do their job. Their main role has been
to perform some specific tasks for the main user-mode
component. However, the scene is changing. There has
been lots of interest in various research groups to inves-
tigate for the possibilities to do more complex tasks di-
rectly from kernel. The next big thing is going to be the
network side. This year we have already seen presenta-
tions talking about how backdoors can be implemented
directly from kernel mode using only the NDIS layer and
custom TCP/IP stack. We have also seen a presentation
about bypassing personal firewalls from kernel-mode.
Finally, the antivirus industry has seen Trojan-Clicker.
Win32.Costrat aka Backdoor.Rustock.B. For any mal-
ware researcher who has been analyzing kernel malware
this case should have been an eye-opener. It has shown
that complex tasks can be done from kernel mode with-
out affecting the overall system stability. Now, it is time to
start thinking how this threat can be countered.
media coverage of the A-311 Death (aka: Haxdoor)
trojan. Available from: <http://www.auscert.org.
au/render.html?it=6581>
2. Chiriac, Mihai. (2003). Virus Analysis 2: XP, A
New Virus Playground. Virus Bulletin Magazine
June 2003. ISSN 0956-9979. pp. 7-8.
Crazylord. (2002). Playing with Windows /dev/
(k)mem. Phrack Magazine, Issue 59. Available
from: <http://www.phrack.org/phrack/59/p59-
0x10.txt>
Florio, Elia. (2005). Feature 2: When Malware
Meets Rootkits. Virus Bulletin Magazine Decem-
ber 2005. ISSN 0956-9979. pp. 7-10.
Florio, Elia; Pathak, Prashant. (2006). Rootkit
Analysis: Raising the Bar, Rustock and Advances
in Rootkits. Virus Bulletin Magazine September
2006. ISSN 1749-7027. pp. 6-9.
6. F-Secure Virus Information Pages : Gurong.A.
Available from: <http://www.f-secure.com/v-
descs/gurong_a.shtml>
AVAR 2006 - Auckland
7. F-Secure Computer Virus Information Pages:
Haxdoor. Available from: <http://www.f-secure.
com/v-descs/haxdoor.shtml>
8. F-Secure Computer Virus Information Pages:
Haxdoor.ki. Available from: <http://www.f-se-
cure.com/v-descs/haxdoor_ki.shtml>
9. F-Secure Rootkit Information Pages: Mailbot.
AZ. Available from: <http://www.f-secure.com/
v-descs/mailbot_az.shtml>
10. F-Secure: News from the Lab - March of 2006 -
How Would You Like Your Bagle Done, with Root-
kits on the Side? Available from: <http://www.
f-secure.com/weblog/archives/archive-032006.
html#00000841>
11. F-Secure: News from the Lab – March of 2006
– From Russia with Rootkit. Available from:
<http://www.f-secure.com/weblog/archives/ar-
chive-032006.html#00000838>
12. F-Secure: News from the Lab – June 2006 – Hid-
ing the Unseen. Available from: <http://www.
f-secure.com/weblog/archives/archive-062006.
html>
13. F-Secure: News from the Lab - August of 2006
- Haxdoor.KI Being Spammed. Available from:
<http://www.f-secure.com/weblog/archives/ar-
chive-082006.html#00000951>
14. F-Secure: News from the Lab - October of 2006 -
Denmark targeted. Available from: <http://www.
f-secure.com/weblog/archives/archive-102006.
html#00000988>
15. Hoglund, Greg; Butler, James. (2005). Rootkits:
Subverting the Windows Kernel. Upper Saddle
River, NJ. Addison-Wesley Professional. 324 pag-
es. ISBN 0-321-29431-9.
16. Intel. (2006). Intel 64 and IA-32 Architectures
Software Developer’s Manual. Volume 1: Basic Ar-
chitecture. Mt. Prospect, IL, Intel Corporation.
Available from: < ftp://download.intel.com/de-
sign/Pentium4/manuals/25366521.pdf>
17. Intel. (2006). Intel 64 and IA-32 Architectures Soft-
ware Developer’s Manual. Volume 2A: Instruction
Set Reference, A-M. Mt. Prospect, IL, Intel Cor-
poration. Available from: <ftp://download.intel.
com/design/Pentium4/manuals/25366621.pdf>
AVAR 2006 - Auckland
18. Intel. (2006). Intel 64 and IA-32 Architectures Soft-
ware Developer’s Manual. Volume 2B: Instruction
Set Reference, N-Z. Mt. Prospect, IL, Intel Cor-
poration. Available from: <ftp://download.intel.
com/design/Pentium4/manuals/25366721.pdf>
19. Intel. (2006). Intel 64 and IA-32 Architectures
Software Developer’s Manual. Volume 3: System
Programming Guide. Mt. Prospect, IL, Intel Cor-
poration. Available from: <ftp://download.intel.
com/design/Pentium4/manuals/25366821.pdf>
20. Ionescu, Alex. (2006). Subverting Windows 2003
SP1 Kernel Integrity Protection Available from:
<Available from: http://www.tinykrnl.org/re-
con2k6.pdf>
21. Kasslin, Kimmo; Stahlberg, Mika; Larvala, Sam-
uli; Tikkanen, Antti. (2005). Hide ‘n seek revisited
– full stealth is back. IN: Proceedings of the 15th
Virus Bulletin International Conference, 5-7 Oc-
tober 2005, Dublin, Ireland. Abingdon, England,
The Pentagon. pp. 147-154.
22. Microsoft: Windows Driver Kit (WDK) – Over-
view. Available from: <http://www.microsoft.
com/whdc/devtools/wdk/default.mspx>
23. Nebbett, Gary. (2000). Windows NT/2000 Na-
tive API Reference. Indianapolis, Indiana, Sams
Publishing. 528 pages. ISBN 1-5787-0199-6.
24. Nikishin, Andy. (1999). Virus Analysis 2, Inside
Infis. Virus Bulletin Magazine November 1999.
ISSN 0956-9979. p. 8.
25. NT Drivers: Usenet Archives - Forum: comp.
os.ms-windows.programmer.nt.kernel-mode –
User mode APCs. Available from: <http://www.
cmkrnl.com/arc-userapc.html>
26. Randnut. (2004). Multiple WinXP kernel vulns
can give user mode programs kernel mode privileg-
es. BugTraq February 18. Available from: <http://
www.securityfocus.com/archive/1/354392>
27. Rootkit.com: Simple Hooking of Functions not Ex-
ported by Ntoskrnl.exe. Available from: <https://
www.rootkit.com/newsread.php?newsid=248>
28. Rootkit.com: Kernel mode sockets library for the
masses Available from: <https://www.rootkit.
com/newsread.php?newsid=416>
29. Rootkit.com: Kernel mode Ircbot Available
 rom: <https://www.rootkit.com/newsread.
php?newsid=467>

30. Rootkit.com: some ideAs About steAlth for rootkit

Available from: <http://www.rootkit.com/news-
read.php?newsid=445>

31. Rootkit.com: Showtime : *WORKING* Cre-

ateProcess in KernelMode! Available from:
< h t t p s : / / w w w. r o o t k i t . c o m / n e w s r e a d .
php?newsid=259>

32. Russinovich, Mark. (1998). NT’s “\dev\kmem”.

Available from: <http://www.sysinternals.com/
ntw2k/info/tips.shtml#kmem>

33. Rutkowska, Joanna. (2006). Rootkit Hunting vs.

Compromise Detection. IN: Proceedings of the
2006 Black Hat Federal, 25-26 January, Washing-
ton DC. Seattle, WA, Black Hat, Inc.

34. Solomon, David; Russinovich, Mark. (2005).

Microsoft Windows Internals: Microsoft Windows
Server 2003, Windows XP, and Windows 2000.
4th edition. Redmond, Washington. Microsoft
Press. 935 pages. ISBN 0-7356-1917-4.

35. Szor, Peter. (2000). Virus Analyses: Poetry In Mo-

tion. Virus Bulletin Magazine April 2000. ISSN
0956-9979. pp. 6-8.

36. Szor, Peter. (2005). The Art of Computer Virus

Research and Defense. Upper Saddle River, NJ.
Addison-Wesley Professional. 744 pages. ISBN
0-321-30454-3.

37. Microsoft Platform SDK Documentation Avail-

able from: <http://msdn.microsoft.com/library/
en-us/sdkintro/sdkintro/devdoc_platform_soft-
ware_development_kit_start_page.asp>

38. Hoglund, Greg. (2000). Loading Rootkit Us-

ing SystemLoadAndCallImage. BugTraq August
29. Available from: <http://www.securityfocus.
com/archive/1/79379>

AVAR 2006 - Auckland